Ensuring EHRs Are Secure: A New Approach
Once 'Meaningful Use' Program Ends, How Will Software Standards Be Enforced?
If federal regulators pull the plug on the HITECH Act's "meaningful use" incentive program for electronic health records, they must devise bold new ways to help ensure that data stored in EHR systems is secure.
A federal official announced on Jan. 11 plans to end the meaningful use program and replace it with a new program focused, among other things, on paying providers for generating better outcomes (see: If EHR Incentive Program is Ending, What's Next?).
The meaningful use program requires providers to use EHR software that's certified as meeting a long list of functionality. And one insider tells me that some form of software certification will continue even if meaningful use incentives end. What's not clear is exactly how a requirement to use certified software would be enforced if HITECH dollars are no longer an incentive for healthcare providers to implement those products.
Based on recent conversations I've had with some security leaders, it's clear that many EHR vendors need to make security more of a priority.
A healthcare sector CISO, who asked not to be named, recently told me he believes that some EHR software and clinical trial management systems vendors come up short when it comes to security, with "holes big enough to drive a truck through."
Few EHR vendors appear to do regular, comprehensive security audits or scans on their software, he charges. Vulnerabilities and bugs often aren't found or don't get addressed, especially by some of the smaller, lesser-known vendors who often cater to smaller clinics and doctors by offering less expensive solutions.
Some shoddily designed EHRs and related products are ticking time bombs, with vulnerabilities that could easily be taken advantage of by cyber-attackers, he contends.
EHR Certification Continues
Security expert and federal adviser Dixie Baker tells me that regulators will continue to focus attention on the security of EHR software and other health IT products through the Office of the National Coordinator for Health IT's software certification program even if the meaningful use program ends.
ONC last October issued the final rule for the 2015 Edition Health Information Technology Certification Criteria.
Baker, senior partner at consulting firm Martin, Blanck and Associates, and longtime member of the HIT Standards Committee, which advises the ONC, tells me CMS officials briefed members of the HIT Policy and Standards Committees in October about the plan to transition away from the meaningful use program. "The plan made sense," Baker says.
"It's time to move on aggressively toward outcomes-based reimbursement, and their plan for a merit-based incentive payment system, MIPS, seemed logical," she says. "That said, I'm sure that the switch will cause some confusion within the provider community - as any change does."
But even as the meaningful use program transitions to something new, "the [software] certification program will continue, with some important changes," she says. For one, ONC in the recent final rule is expanding the program beyond EHR technology to broader "health information technology" certification, she says. "And most important for privacy and security, they are changing the way that products are certified against the security standards and criteria," she adds.
In the initial ONC software certification program, all products - complete EHRs and EHR modules - submitted for certification were certified against all of the security criteria, she says. "But the criteria really were not equally applicable to all products, particularly for some of the more specialized 'EHR modules,' so they changed the criteria so that products that were submitted for certification as 'EHR modules' could choose whether they would be certified against the security criteria," she explains.
To win HITECH incentive payments, providers needed to ensure that the set of modules they purchased met the "base EHR definition," which included the security criteria, she says. "But the only certification class that was required to meet all the requirements in the 'base EHR definition' were 'complete EHRs,'" she says.
So, if a provider chose to purchase and integrate a set of certified "EHR modules," the healthcare provider would be responsible for demonstrating that the integrated set met the "base EHR definition," she says. However, that meant it was possible that none of the modules could meet the security criteria, she says.
"The HITSC Privacy and Security Working Group argued against this approach, but ultimately realized that, in fact, some EHR modules may not need to address all of the criteria," she says. For instance, depending on the function of the software, not all modules might need to feature automatic access time-out or require end-user device encryption.
"So we proposed an approach whereby the healthcare functions for which an EHR module was submitted for certification would determine whether that module needed to be certified against this security criteria," she says. "We were very pleased to see that this approach was adopted in the final rule released last October."
EHR Vendors: A Call to Action
While the health IT products submitted for certification must meet specific security and privacy criteria, some CISOs insist that EHR vendors still have a long, long way to go when it comes to protecting patient data.
That's why it's so important that as the software certification program evolves, federal regulators devise innovative ways to ensure the security functions of EHRs continue to improve - and that providers take full advantage of those features.
Editor's Note: On Jan. 19, officials of the Center for Medicare and Medicaid Services and ONC posted a blog clarifying that proposed regulations to replace the meaningful use rules won't be released until the spring. So for now, "existing regulations - including meaningful use Stage 3 - are still in effect."